Court Rules Accessing a Public Website Isn't A Crime, But Hiding Your IP Address Could Be

In the ongoing legal battle between craigslist and 3taps, a new court opinion makes clear that people are "authorized" under the Computer Fraud and Abuse Act (CFAA) to access a public website. But what the court gave with one hand it took with the other, as it also ruled that sending a cease-and-desist letter and blocking an IP address is enough to "revoke" this authorization.

3taps collects real-estate data from craigslist and makes it available to other companies to use. One of those companies, Padmapper, republished craigslist apartment postings over a map to enable users to view apartment listings geographically, a feature then unavailable on the craigslist site. Craigslist's terms of service prohibits people from "scraping" or copying data from craigslist's site.

After learning about 3Taps and its clients, craigslist sent 3taps a cease-and-desist letter demanding they stop using craigslist data this way and then blocked 3taps' IP address from accessing the craigslist site. Ultimately, craigslist sued 3taps in federal court, arguing that 3taps had violated the CFAA. 3taps moved to dismiss the case, arguing that under the Ninth Circuit Court of Appeals decision in United States v. Nosal, 3taps could not be liable under the CFAA for violating craigslist's terms of service.

While the court agreed with 3taps on this point, it questioned whether the CFAA even protected information available on a publicly accessible website like craigslist in the first place. After the court agreed to accept additional briefing on this point, we along with a number of law professors, filed an amicus brief with the court urging it to rule that everyone is "authorized" to visit a public website under the CFAA.

Last week, the court ruled that this interpretation of the CFAA "makes sense," meaning that everyone starts out as "authorized" to access a publicly accessible website. But it found that, with respect to 3taps, craigslist had used its "power to revoke, on a case-by-case basis, the general permission it granted to the public to access the information on its website" by sending the cease and desist letter and blocking 3taps' IP address. The decision is certainly a mixed bag.

First the positive.

It is encouraging to see courts recognize that the CFAA—which creates both civil and criminal liability—doesn't criminalize accessing information from a publicly accessible website. The government used that precise theory to prosecute Andrew "Weev" Auernheimer for exposing an AT&T security flaw that publicly revealed thousands of customers' email addresses. The possibility of imposing CFAA liability on someone from using information made freely available on the web posed a major threat on the openness and innovation of the Internet.

Moreover, by focusing on the IP blocking, the court essentially agreed with the basic principle we've suggested as a means to limit the reach of the CFAA: that there must be circumvention of a technological barrier before a person can be found to have "accessed" information or data "without authorization." In fact one proposal to reform the CFAA currently before Congress, "Aaron's Law," defines "access without authorization" to mean precisely that: "knowingly circumventing one or more technological or physical measures that are designed to exclude or prevent unauthorized individuals from obtaining that information." The court adopted this idea in principle when it found that craigslist's CFAA claim was based on something more than violating the terms of service of a publicly accessible website, and indeed something more than the cease and desist letter alone.

Now for the troubling part of the court's opinion.

We believe that the CFAA requires hacking—doing something that breaches a technological barrier, like cracking a password or taking advantage of a SQL injection.

Changing your IP address is simply not hacking. That's because masking your IP address is an easy, common thing to do. And there's plenty of legitimate reasons to do so, whether it's to protect your privacy, preserve innovation or avoid price discrimination. Plus, in the context of this case, craigslist's IP address blocking and cease-and-desist letter combined to essentially act as a "use" restriction. In other words, craigslist relied on these two things to enforce its terms of service upon 3taps.

There's a serious potential for mischief that is encouraged by this decision, as companies could arbitrarily decide whose authorization to "revoke" and need only write a letter and block an IP address to invoke the power of a felony criminal statute in what is, at best, a civil business dispute.

Hopefully future courts thinking about these issues can use the good aspects of this decision to recognize that violating a technological measure is necessary. But they need to think more critically about whether IP address blocking, even if coupled with a cease and desist letter, is enough for a CFAA violation.

Accessing a public website isn't a crime. Neither is hiding your online identity.

Related Updates

Good news out of the Ninth Circuit: the federal court of appeals heeded EFF’s advice and rejected an attempt by Oracle to hold a company criminally liable for accessing Oracle’s website in a manner it didn’t like. The court ruled back in 2012 that merely violating a...

The latest on the Computer Fraud and Abuse Act? It’s still terrible. And this year, the detrimental impacts of the notoriously vague and outdated criminal computer crime statute showed themselves loud and clear. The statute lies at the heart of the Equifax breach, which might have been averted if...

EFF, together with our friends DuckDuckGo and the Internet Archive, filed an amicus brief urging the Ninth Circuit Court of Appeals to reject LinkedIn’s request to transform the CFAA from a law meant to target serious computer break-ins into a tool for enforcing its computer use policies. The social...

EFF is fighting another attempt by a giant corporation to take advantage of our poorly drafted federal computer crime statute for commercial advantage—without any regard for the impact on the rest of us. This time the culprit is LinkedIn. The social networking giant wants violations of its corporate policy...

On November 4 and 5, the Internet Archive will host the Fifth Annual Aaron Swartz Day and Hackathon. Aaron would have turned 31 on November 8. The late activist, political organizer, programmer, and entrepreneur was a dear friend of EFF’s who made a lasting imprint on the Internet and...

Good news out of a court in San Francisco: a judge just issued an early ruling against LinkedIn’s abuse of the notorious Computer Fraud and Abuse Act (CFAA) to block a competing service from perfectly legal uses of publicly available data on its website. LinkedIn’s behavior is just the...

When McMansion Hell blogger Kate Wagner received Zillow’s letter last month demanding that she take down her architecture parody blog, she was scared. So scared that she temporarily disabled access to her blog via McMansionHell.com until she could find an attorney. We’re happy she found us at EFF...

Update 5:00pm: Zillow has released a statement saying the company has "decided against moving forward with legal action." EFF is pleased that Zillow has withdrawn its threat and won't be seeking to take down any of the posts on McMansion Hell. We hope that other companies seeking to shut...

Washington, D.C.—The Electronic Frontier Foundation (EFF) urged the U.S. Supreme Court to review a ruling that threatens to transform a law against computer break-ins into a mechanism for criminalizing password sharing and policing Internet use. In an amicus brief filed with today, EFF urged the court to weigh...

On January 18, 2012, the Internet went dark. Hundreds of websites went black in protest of the Stop Online Piracy Act (SOPA) and the PROTECT IP Act (PIPA). The bills would have created a “blacklist” of censored websites based on accusations of copyright infringement. SOPA was en route to quietly...